1. The Field of the Invention
The present invention generally relates to network communications. More specifically, the present invention provides for throttling network connections to a service based on network paths or sub-paths for such communications.
2. Background and Related Art
The rapid growth of computer networks, both public and private, in recent years has been spurred in large part by “client/server computing.” In this model one computing device, the client, requests that another computing device, the server, provide services or features to it. Note that the terms “client” and “server” are used solely to denote the parties in a request transaction. While some computing devices are implemented as dedicated servers that can serve multiple clients, a client and a server can switch roles from one transaction to another. For instance, in a “peer-to-peer” network (common among, e.g., devices communicating via short range radio), every computing device has the potential to be both a client and a server, serially or simultaneously.
Servers often have to allocate precious resources to fulfill a request for a feature or for a service. Upon receiving a request from a client, a server checks the availability of its resources. Traditionally, if the server does not have the resources to fulfill the request, then the server rejects the request. If the client can proceed without the requested feature or service then it does so and resubmits the request later, at which time the server may have the necessary resources available to fulfill the request.
In order to ensure that valuable server resources are dedicated to valid clients, the server needs a mechanism to determine the intent of the requests it receives. For example, a nefarious or malicious client could mount a “Denial of Service” (DoS) attack by repeatedly making requests of the server with the intent of overwhelming it. Although some systems require the client to authenticate itself (so that an unauthenticated client's request will ultimately be rejected), the server may in the meantime utilize so many resources attempting to process the requests and/or authenticate the client that the server exhausts its resource pool, until the server is rendered incapable of fulfilling any request, even those made by valid clients. Such DoS attacks can be equally effective against systems that do not require the client to authenticate itself.
One solution to the above-described DoS attacks is to limit the number of available or allowable requests or connections to a service based on the source of the request. For example, services or routers can monitor all of the requests they receive, and if too many requests from one address are received in a short period of time, the service or router simply discards them without processing. Such a solution, however, does not take into account machines that have multiple IP addresses. In such instances, a malicious client can assign multiple IP addresses to a particular machine and bombard the service with connection requests from varying IP addresses, so that the requests cannot be linked to one another.
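As an added illustration (not part of the patent text), the per-address scheme described above implemented as a sliding-window throttle keyed by source address and run over a constructed request stream: the same request volume spread across many addresses passes untouched, while a coarser grouping key (a /24 prefix here, an illustrative assumption and not the path-based approach of the invention) throttles it again.

```python
from collections import defaultdict, deque
import ipaddress


class KeyedThrottle:
    """Admit at most `limit` requests per key within any `window_ms` milliseconds."""

    def __init__(self, limit, window_ms, key_fn):
        self.limit = limit
        self.window_ms = window_ms
        self.key_fn = key_fn
        self.history = defaultdict(deque)  # key -> timestamps of admitted requests

    def admit(self, request):
        """Return True if the request is accepted, False if it is throttled."""
        key = self.key_fn(request)
        now = request["time_ms"]
        q = self.history[key]
        while q and now - q[0] >= self.window_ms:  # forget requests outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False  # this key has used its share of the window: discard
        q.append(now)
        return True


def by_source(req):
    """Key requests by source address, as the per-address scheme in the text does."""
    return req["src"]


def by_prefix(req, bits=24):
    """Illustrative coarser key (an assumption, not the patent's path-based method)."""
    return str(ipaddress.ip_network(f"{req['src']}/{bits}", strict=False))


def admitted(requests, throttle):
    """Count how many requests of a stream the throttle admits."""
    return sum(1 for r in requests if throttle.admit(r))


# Constructed sample streams: 20 connection requests over 2 seconds, first from
# one address, then the same load spread over 20 addresses in one /24.
SINGLE_SOURCE = [{"src": "203.0.113.7", "time_ms": 100 * i} for i in range(20)]
ROTATED_SOURCES = [{"src": f"203.0.113.{i + 1}", "time_ms": 100 * i} for i in range(20)]

if __name__ == "__main__":
    print(admitted(SINGLE_SOURCE, KeyedThrottle(5, 1000, by_source)))    # 10
    print(admitted(ROTATED_SOURCES, KeyedThrottle(5, 1000, by_source)))  # 20: per-address limit evaded
    print(admitted(ROTATED_SOURCES, KeyedThrottle(5, 1000, by_prefix)))  # 10
```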
Of course, there are many forms or causes of what appear to be DoS attacks, some of which are not necessarily malicious but stem instead from a simple overload of requests from valid clients that can authenticate. Accordingly, just as with a single machine having multiple IP addresses, merely discarding requests based on the monitoring of addresses will not control such overloads. As such, there exists a need for controlling connections, or requests for connections, to a service based on something other than simply monitoring IP addresses.